Privacy policy
Version 3.0 · Last updated: 2026-06-05· Effective immediately.
This policy explains in plain language how VitaminDB (“we”, “us”) collects, uses, retains, shares, secures, and discloses personal data of visitors and registered users. It is written to satisfy the EU General Data Protection Regulation (Regulation 2016/679 — the “GDPR”), the UK GDPR + Data Protection Act 2018, the EU ePrivacy Directive (2002/58/EC as amended by 2009/136/EC), the German TTDSG, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA) and its regulations, the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Utah Consumer Privacy Act (UCPA), the Texas Data Privacy and Security Act (TDPSA), the Oregon Consumer Privacy Act (OCPA), the Brazilian Lei Geral de Proteção de Dados (LGPD), the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) and Quebec Law 25, and the Swiss FADP (revFADP).
Table of contents
- Controller and contact
- Scope
- Categories of personal data and lawful basis
- Sources of data
- Purposes of processing
- Categories of data we do NOT collect
- Cookies and similar technologies
- Disclosures and recipients
- Sub-processors
- International data transfers
- Retention schedule
- Security measures
- Personal data breaches
- Your rights — EEA / UK / Switzerland (GDPR)
- Your rights — California (CCPA/CPRA)
- Your rights — Other US states
- Your rights — Brazil (LGPD)
- Your rights — Canada (PIPEDA / Quebec Law 25)
- Sensitive data and special categories
- Children and minors
- Automated decision-making and profiling
- Data protection impact assessments
- Law enforcement requests
- “Sale”, “sharing”, and targeted advertising
- Authorized agents (CCPA)
- Annual privacy metrics
- Changes to this policy
- Contact and complaint procedure
1. Controller and contact
The data controller for purposes of GDPR Art. 4(7) and equivalent provisions in UK GDPR, LGPD, and Quebec Law 25 is MonacoWebPix, a sole-trader enterprise (exploitation directe) registered in the Principality of Monaco under RCI 25P10884, at C/o CATS, Le Forum, 28 Boulevard Princesse Charlotte, 98000 Monaco. The CCPA “business” is the same legal entity. Address: available on written request at [email protected].
Under GDPR Art. 37 we are not required to appoint a Data Protection Officer (DPO) because our core activities do not consist of large-scale processing of special-category data or large-scale systematic monitoring. We will appoint a DPO if and when those thresholds are crossed. Our designated privacy contact is the controller above and remains the single point of contact for all privacy matters across jurisdictions.
Single contact point under the EU Digital Services Act (Regulation 2022/2065, Articles 11–12): [email protected] — English, Portuguese, German, French accepted.
2. Scope
This policy covers personal data processed in connection with: (a) the public website at vitamindbc.com and all subdomains; (b) the optional Telegram bot integration; (c) email digests and transactional emails sent from @vitamindbc.com addresses; (d) interactions with our staff via the email channels listed on the contact page; and (e) any future mobile app published by us. It does not cover the privacy practices of third-party merchants we link to via affiliate redirects — those merchants are independent controllers of any data they collect after you leave VitaminDB.
3. Categories of personal data and lawful basis
Under GDPR Art. 13–14 and equivalent transparency rules, every category of personal data we process is listed below with its specific purpose and lawful basis. We minimise each category to what is necessary under GDPR Art. 5(1)(c).
| Category | Specific data fields | Purpose | GDPR Art. 6 basis | Retention |
|---|---|---|---|---|
| Account identity | Email, display name, OAuth provider ID, avatar URL | Authentication, account management, transactional comms | (b) contract performance | Account life + 14-day cool-off; then anonymized |
| Authentication credentials | Hashed password (Argon2id), session token, CSRF token | Login + session security | (b) contract + (f) legitimate interest in security | Session 30d sliding window; password until rotated |
| Submitted content | Deal posts, vote events, comments, stacks, saved items | Deliver core service | (b) contract | Anonymized on account deletion; aggregated stats kept indefinitely |
| Network telemetry | IP address, user-agent string, request timestamp, path | Rate limiting, abuse detection, security incident response | (f) legitimate interest | 30 days raw; aggregates indefinite |
| Affiliate click events | Deal id, source page slug, timestamp, click count | Commission attribution, fraud detection, content optimisation | (f) legitimate interest + (a) consent for the merchant cookie | 24 months in our DB; merchant cookie per their policy |
| Analytics events (consented) | Page views, referrer (domain only), screen size category | Audience measurement, content optimisation | (a) consent | 12 months |
| Cookieless analytics (Plausible) | Aggregate page + outbound-link counts, referrer (domain only), country, device type — no cookies, no cross-site identifier | Audience measurement, content optimisation | (f) legitimate interest (cookieless, no device storage) | No device storage; aggregates held by Plausible |
| Email opt-ins | Email + opt-in event, channel (newsletter, alerts), suppression flags | Send subscribed digests | (a) consent for promotional, (b) for transactional | Until unsubscribe + 6 month suppression list |
| Telegram chat ID | Chat ID, username (if public), opt-in event | Bot notifications you opted into | (a) consent | Until you unlink the bot |
| Moderator audit log | Action type, target id, moderator id, reason, timestamp | Accountability, appeal handling, DSA Art. 17 statements of reasons | (c) legal obligation + (f) legitimate interest | 5 years (mirrors EU DSA retention guidance) |
| Support correspondence | Email message body and headers you send us | Respond to your request | (b) for service requests, (f) for general inquiries | 24 months after last interaction |
| DSA notice records | Notice content, claimant identity, decision, statement of reasons | DSA Art. 16 / 17 compliance | (c) legal obligation | 5 years |
| Browser-level consent | vdb-consent-v1 JSON in localStorage (your choices + timestamp) | Honour your cookie preferences | (c) legal obligation under ePrivacy + (a) consent | Until you clear it |
| Sensitive personal information (CPRA) | — None collected. We never process precise geolocation, racial/ethnic origin, religious beliefs, union membership, genetic, biometric, sex life, sexual orientation, or health diagnoses. — | N/A | N/A | N/A |
4. Sources of data
- Directly from you — when you register, post content, subscribe to a newsletter, contact us, or link the Telegram bot.
- From your device automatically — IP address, user-agent, language and screen size headers your browser sends with every HTTP request.
- From OAuth providers if you choose to log in with Google, GitHub, or another supported provider — only the fields you authorise (typically email, display name, avatar).
- From affiliate networks — aggregate commission reports per program; these reports do not contain individual end-user data.
- From sub-processors in operational reports (e.g. Sentry error events, which scrub IPs and user identifiers).
5. Purposes of processing
We process personal data only for the purposes listed below.
- To create and maintain your account.
- To authenticate you and protect your session against hijacking.
- To deliver content you submitted to other users (deals, comments, stacks, votes).
- To send you transactional communications (account changes, security alerts, content actions on your account).
- To send you the digests and alerts you opted into, and to honour your unsubscribe.
- To prevent fraud, spam, abuse, and unauthorised access.
- To handle abuse reports, copyright claims, DSA notices, and moderation actions.
- To measure aggregate site usage where you have consented.
- To attribute affiliate commissions accurately and detect fraudulent click patterns.
- To comply with legal obligations (tax records, DSA notice retention, court orders).
- To defend ourselves in legal proceedings.
- To improve VitaminDB — debugging, capacity planning, content gap analysis.
We do not process personal data for: behavioural advertising, sale to third parties for their own marketing, training of generative AI models, cross-context profiling, scoring of individuals, or any purpose that would be incompatible with the original purpose under GDPR Art. 5(1)(b).
6. Data we do NOT collect
- No GDPR Art. 9 special-category data (health diagnoses, genetic data, biometric IDs, racial or ethnic origin, religious beliefs, trade-union membership, sex life, sexual orientation, philosophical beliefs).
- No CPRA “sensitive personal information”: no precise geolocation, no government identifiers, no contents of mail/email/text outside our own correspondence, no genetic data, no biometric data, no health diagnoses, no racial/ethnic/religious data, no sexual orientation, no union membership.
- No Facebook Pixel, Meta Conversions API, TikTok Pixel, LinkedIn Insight Tag, X Pixel, Pinterest Tag, Snap Pixel, or equivalent ad-network tracking.
- No Google Analytics, no Mixpanel, no Amplitude, no Hotjar, no FullStory, no session replay tools.
- No browser-fingerprinting libraries (FingerprintJS, ClientJS) and no canvas-fingerprinting techniques.
- No cross-site cookies set by us.
- No payment card numbers — we do not run our own checkout. All purchases happen on the merchant’s own site under the merchant’s own privacy policy.
- No biometric data, no voice samples, no faceprints, no fingerprints.
- No health diagnoses, no medical records, no symptom logs.
- No SSN, passport number, driver’s license, or other government identifier.
- No social-graph imports (no “find friends” from your contacts).
7. Cookies and similar technologies
See our standalone cookie policy for the full enumeration of every cookie, similar technology, third-party identifier, and local-storage key we set, what it does, who sets it, and how long it lives. Summary principles:
- Essential cookies (session, CSRF, locale) require no consent and operate under the ePrivacy Art. 5(3) “strictly necessary” exemption.
- Analytics and affiliate-attribution cookies are set only after you opt in through the consent banner. We do not pre-tick boxes (EDPB Guidelines 05/2020).
- We do not use “cookie walls” that condition access on consent (EDPB Guidelines 03/2022).
- We honour the Global Privacy Control (GPC) browser signal as an opt-out across CCPA and similar US-state “sale”/“sharing” categories.
- You can change your choice at any time by clearing the
vdb-consent-v1key in your browser’s local storage, or by emailing us.
8. Disclosures and recipients
We disclose personal data only to:
- Sub-processors bound by GDPR Art. 28 / CCPA service-provider contracts — see Section 9.
- Public-facing content you choose to publish (your username next to your deal posts and comments) — this is the published version of your account, not a disclosure to a third party.
- Law enforcement and regulators on receipt of a binding legal demand — see Section 23.
- Successors in connection with a merger, acquisition, asset sale, or bankruptcy of VitaminDB; we will notify you at least 30 days in advance through the site and email.
- Professional advisors (lawyers, accountants, auditors) under their own duty of confidence.
We never disclose your personal data to brand sponsors, advertisers, or affiliate networks in identifiable form. Reports we receive from affiliate networks contain only aggregate commission counts and totals.
9. Sub-processors
Each sub-processor below operates under a written Data Processing Agreement that meets GDPR Art. 28(3). We assess every new sub-processor against the same security and privacy bar. Material additions trigger a 30-day notification window on this page.
| Sub-processor | Function | Hosting region | Transfer safeguard |
|---|---|---|---|
| Contabo GmbH (DE) | Application server, database, object storage | Germany (EU) | Within EEA — no transfer |
| Cloudflare, Inc. (US) | CDN, DNS, DDoS protection, WAF | EU + global anycast | EU SCC + DPF certification |
| Postmark / Resend | Transactional email delivery | US (with EU sending pool when available) | EU SCC + DPF |
| Sentry GmbH (DE) | Application error monitoring (IP truncated, PII scrubbed) | Germany (EU) | Within EEA |
| Telegram FZ-LLC | Bot notifications — only for users who explicitly link the bot | UAE / global infrastructure | User consent + minimal data shared (chat ID only) |
| Web Push services (Apple, Mozilla, Google) | Browser push notification delivery to your device | US + global | Standard browser-vendor pipeline; subscriptions are opaque tokens |
| GitHub, Inc. (US) | Source code hosting, deploy key access for CI | US (EU on enterprise) | EU SCC + DPF |
| Stripe, Inc. (US) | Payment processing & subscription billing — card data is handled by Stripe and never stored by us | US + global | EU SCC + DPF |
| Skimlinks (Connexity, Inc., US) | Outbound-link affiliate attribution — loads only after you grant affiliate-cookie consent | US + global | EU SCC + DPF |
| Affiliate networks — Amazon Associates, Awin, CJ, Rakuten Advertising | Commission attribution when you click a deal/coupon link through to a merchant | US / EU | EU SCC + DPF / per-network DPA |
10. International data transfers
Where personal data is transferred outside the EEA / UK / Switzerland to a country without an adequacy decision under GDPR Art. 45, we rely on one or more of the following Art. 46 safeguards:
- The European Commission’s Standard Contractual Clauses, Decision (EU) 2021/914, in their current form.
- The UK International Data Transfer Addendum (IDTA) or the UK’s Mountie reference to the EU SCCs.
- The Swiss Federal Data Protection and Information Commissioner’s approved SCC variant.
- Where applicable, the recipient’s self-certification under the EU-US Data Privacy Framework (DPF) and the equivalent UK Extension and Swiss-US DPF.
- Supplementary technical and organisational measures consistent with EDPB Recommendations 01/2020 (e.g. transport encryption, pseudonymisation, key separation).
On written request to [email protected] we will provide a redacted copy of the SCCs in force for any sub-processor.
11. Retention schedule
We retain personal data only as long as is necessary for the purpose for which it was collected, plus any retention period mandated by tax, accounting, or DSA-related legal obligations. Specific periods are listed in Section 3. Upon expiry we either delete the data, pseudonymise it irreversibly, or aggregate it so individuals are no longer identifiable. Backups containing personal data are encrypted, isolated from the production environment, and rotated through a 35-day rolling window.
12. Security measures
Under GDPR Art. 32 we have implemented technical and organisational measures appropriate to the risk, including:
- Transport encryption: TLS 1.3 only for end-user connections; HSTS with a 2-year max-age and preload.
- Database encryption at rest (Postgres TDE) and encrypted backups (age + age-keygen).
- Password hashing with Argon2id at site-tuned cost parameters.
- OAuth-only login by default; passwords optional and disabled at sign-up.
- Strong content security policy (default-src self, frame-ancestors none, no inline scripts except statically-hashed) deployed via the proxy layer.
- Subresource Integrity and signed cookies (SameSite=Lax + Secure + HttpOnly).
- Principle of least privilege for staff database access; production access requires hardware-key MFA.
- Audit logging of every moderation action and every administrative database operation.
- Automated dependency scanning on every commit; weekly patch cadence.
- Annual penetration testing scope-permitting; quarterly internal review of security controls.
- Secure-by-default infrastructure: SSH key-only on a non-default port; root login limited to deploy automation; fail2ban on auth surface.
- WAF and rate-limiting at the edge via Cloudflare.
13. Personal data breaches
In the event of a personal data breach as defined in GDPR Art. 4(12) we will:
- Contain and remediate within hours.
- Document the breach in our internal incident register (cause, scope, categories of data, mitigations).
- Notify the competent supervisory authority within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to natural persons (GDPR Art. 33).
- Notify affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms (GDPR Art. 34), unless one of the exemptions in Art. 34(3) applies.
- Comply with equivalent breach-notification rules under UK GDPR, LGPD Art. 48, Quebec Law 25, CCPA §1798.82, and any applicable US state-law trigger.
- Publish a post-mortem on /changelog once remediation is complete and law-enforcement coordination, if any, permits.
14. Your rights — EEA, UK, Switzerland (GDPR)
Under GDPR Art. 12–22 + Art. 77, you have the right to:
- Access (Art. 15) — confirm whether we process your data and obtain a copy.
- Rectification (Art. 16) — correct inaccurate or incomplete data.
- Erasure (Art. 17) — have your data deleted in the cases listed in Art. 17(1).
- Restriction (Art. 18) — freeze processing while a dispute is resolved.
- Portability (Art. 20) — receive data you provided to us in a structured, commonly used, machine-readable format.
- Object (Art. 21) — object on grounds relating to your particular situation to processing based on legitimate interest, or to direct marketing (absolute right).
- Withdraw consent (Art. 7(3)) — without prejudice to lawful processing before withdrawal.
- Not be subject to automated decision-making producing legal or similarly significant effects (Art. 22) — we do none, see Section 21.
- Lodge a complaint with a supervisory authority (Art. 77).
To exercise any right, email [email protected]. We respond within 30 days under GDPR Art. 12(3), extendable by 60 days for complex requests with written justification. Self-service deletion and export are available from /profile/settings. We do not charge a fee unless your request is manifestly unfounded or excessive, in which case we will explain and let you choose to refine the request.
Monaco is not an EU member state. Personal-data processing is governed by Monaco Law n.º 1.565 of 3 December 2022 on personal data, which broadly mirrors the GDPR and is supervised by the Commission de Contrôle des Informations Nominatives (CCIN), 12 avenue de Fontvieille, 98000 Monaco. For users in the EU/EEA we have appointed an EU representative under GDPR Art. 27 (details available on request to [email protected]); EU users may also lodge complaints with their local supervisory authority. UK consumers: Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Swiss residents: Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern.
15. Your rights — California (CCPA / CPRA)
California residents have, under Cal. Civ. Code §§1798.100–1798.199, the rights to:
- Know what personal information we collect, use, disclose, and sell or share (we do not sell or share).
- Delete personal information collected from you.
- Correct inaccurate personal information.
- Opt out of any sale or sharing of personal information for cross-context behavioural advertising — we do neither.
- Limit the use and disclosure of sensitive personal information — we collect none.
- Non-discrimination — we will not offer different prices, levels of service, or quality based on your exercise of these rights, nor offer a financial incentive for waiving them.
- Access in a portable format.
To exercise any CCPA right email [email protected] with the subject “CCPA request”. We confirm receipt within 10 business days and respond within 45 days, with a possible 45-day extension on written notice. Requests we cannot verify will be denied with explanation.
We honour the Global Privacy Control (GPC)as a valid opt-out signal for “sale” and “sharing” purposes — even though we do neither, the signal is treated as a global opt-out across affiliate-attribution cookies.
16. Your rights — Other US states
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Iowa (ICDPA), Tennessee (TIPA), Montana (MCDPA), Delaware (DPDPA), New Jersey (NJDPA), New Hampshire, and Indiana have rights substantially similar to the California rights above, with state-specific variations: access, correction, deletion, portability, opt-out of targeted advertising / sale of personal data / profiling for decisions producing legal effects, and an appeal of any denial. We extend the same operational process described in Section 15 to residents of all these states. State-specific verification, response times, and appeal windows match the strictest applicable state law in each request.
17. Your rights — Brazil (LGPD)
Under Lei n.º 13.709/2018 (LGPD) Art. 18, you have the right to confirmation, access, correction, anonymisation, blocking, deletion, portability, deletion of data processed under consent, information about with whom we share, information about your right to refuse consent, and the right to revoke consent. Contact [email protected]. The Brazilian supervisory authority is the Autoridade Nacional de Proteção de Dados (ANPD).
18. Your rights — Canada (PIPEDA / Quebec Law 25)
Canadian residents have rights under PIPEDA to access, correction, withdrawal of consent, and to file a complaint with the Office of the Privacy Commissioner of Canada. Quebec residents have additional rights under Loi 25 / CCQ Art. 35: portability, de-indexation/cessation of dissemination, information about automated decisions, and a right to be informed of any transfer outside Quebec or any disclosure to a third party.
19. Sensitive data and special categories
We do not collect, infer, or process GDPR Art. 9 special-category data or CPRA sensitive personal information. We do not infer health conditions from your browsing of nutrient categories — reading a vitamin D guide is not treated as a diagnosis or health attribute about you. Account data is never combined with affiliate click events to create a health profile.
20. Children and minors
VitaminDB is not directed to children. We do not knowingly collect personal data from anyone under 16 (or the higher digital age of consent in your jurisdiction — up to 18 in some US states under sectoral laws). If you believe a child has registered, email [email protected] and we will delete the account and associated data immediately. We do not engage in any practice that constitutes “targeted advertising” or “profiling” of minors as defined under EU GDPR or California AB-1394.
21. Automated decision-making and profiling
We do not engage in automated decision-making (within the meaning of GDPR Art. 22 or equivalent provisions) that produces legal or similarly significant effects on you. Deal ranking and content recommendations are editorial and follow the published methodology and editorial standards. Spam detection uses heuristic and rule-based scoring; humans review every actionable outcome.
22. Data protection impact assessments
Under GDPR Art. 35 we conduct a DPIA whenever a new processing activity is likely to result in a high risk to the rights and freedoms of natural persons. Triggers include: large-scale processing of special categories, systematic monitoring of public areas, or deployment of new tracking technology. Our current processing does not meet any DPIA trigger; the assessment is reviewed at least annually and on every material change.
23. Law enforcement requests
We disclose user data to law enforcement only in response to a valid, binding legal demand addressed to VitaminDB under the laws of Monaco or another jurisdiction where a Mutual Legal Assistance Treaty exists. We will:
- Verify the legitimacy and scope of the demand.
- Narrow the scope to the minimum data legally required.
- Notify the affected user where legally permissible.
- Refuse facially invalid or overbroad demands.
- Publish aggregate numbers in an annual transparency report (see /transparency).
24. “Sale”, “sharing”, and targeted advertising
We do not “sell” or “share” personal information within the meaning of CCPA/CPRA §1798.140(ad) and (ah). We do not engage in targeted advertising within the meaning of VCDPA / CPA / CTDPA / UCPA / TDPSA / OCPA / Quebec Law 25. Affiliate commissions are paid by merchants based on aggregate click reports, not by selling your personal data. We have not done so in the preceding 12 months, and we have not received any consideration for doing so.
25. Authorized agents (CCPA)
California residents may designate an authorized agent to make a privacy request on their behalf under Cal. Civ. Code §1798.135(c). The agent must provide signed permission from you and, for non-deletion requests, sufficient information for us to verify the agent’s authority and your identity. We may require you to confirm directly that you provided the agent permission.
26. Annual privacy metrics
Under CCPA §1798.130(a)(5)(B), where applicable, we will publish on /transparency annual numbers of: requests to know received, complied with, denied; requests to delete; requests to correct; requests to opt out (where applicable); median and mean response times. Below the statutory threshold we publish the same numbers voluntarily.
27. Changes to this policy
Material changes (new categories of data, new sub-processors, new disclosures, new purposes, jurisdictional expansions) are announced at least 30 days in advance through the site banner and an email to registered users where lawful. Continued use after the effective date constitutes acknowledgement. Every prior version is archived in our public changelog. The effective version is the one at the top of this page.
28. Contact and complaint procedure
For any privacy question, rights request, or complaint: [email protected]. We respond to every privacy email within 5 business days with an acknowledgement and a case number; substantive resolution times are listed per section above.
If you are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority (see Sections 14–18 for jurisdiction-specific addresses) or to seek a judicial remedy in the competent court.